# Proof Key for Code Exchange (PKCE)

PKCE ([RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636)) enhances the security of the OAuth 2.0 Authorization Code Flow by protecting against authorization code interception attacks. It is particularly important for **public clients** (e.g., mobile apps, single-page apps) that cannot securely store a client secret.

## PKCE Flow in Corppass

Corppass supports PKCE as part of the **Authorization Code Flow**, requiring the client to send a **code challenge** during the authorization request and later verify it with a **code verifier** when exchanging the authorization code for tokens.

### How PKCE Works

#### Step 1: Client Generates a Code Verifier

The client generates a fresh **high-entropy random string** for every authorization request. Per RFC 7636 the verifier is 43–128 characters drawn from the unreserved set `[A-Z] [a-z] [0-9] - . _ ~`; encoding 32 bytes from a cryptographically secure random source as Base64URL (no padding) yields a 43-character verifier, the minimum length. The verifier never leaves the client until Step 6 and must not be reused across requests.

> Example:\
> `6I9tQd5tKn7Uy9ZfwEqd-YC71gSVfzcfVcyXLc34vQo`

#### Step 2: Client Derives a Code Challenge

The code verifier is hashed with **SHA-256** and the 32-byte digest is Base64URL-encoded **without `=` padding** to produce the **code challenge** (the `S256` method). The challenge is what the client sends to Corppass; the verifier stays on the client.

> Example (Base64URL of SHA-256 hash):\
> `hu0mAmPq8n91vRqudsGmriiG7blJDJS0bsDeOmEt17M`

#### Step 3: Client Sends Authorization Request with Code Challenge (via PAR)

The client initiates a **Pushed Authorization Request (PAR)** to the `/request` endpoint, including the following in the request body:

```http
POST /request

response_type=code
client_id=abc123
....
code_challenge=hu0mAmPq8n91vRqudsGmriiG7blJDJS0bsDeOmEt17M
code_challenge_method=S256
```

#### Step 4: Redirect User to Authorization Endpoint with `request_uri`

After receiving the `request_uri` from `/request`, the client must redirect the user to the `/authorize` endpoint, passing both `client_id` and `request_uri` as query parameters.

> Example:
>
> `/mga/sps/oauth/oauth20/authorize?...&client_id=abc123&request_uri=urn:ietf:params:oauth:request_uri:h8YQPVV0Dgm5MGaD_koAm`

#### Step 5: Authorization Server Responds

Corppass responds with an **authorization code** upon successful user authentication.

#### Step 6: Client Sends Token Request with Code Verifier

The client exchanges the authorization code for an **ID token** and **access token**, providing the **original `code_verifier`** to prove it is the same party that generated the code challenge in Step 3.

> Example:
>
> `client_id=abc123&...&code_verifier=6I9tQd5tKn7Uy9ZfwEqd-YC71gSVfzcfVcyXLc34vQo`

#### Step 7: Authorization Server Verifies Code Verifier

Corppass recomputes the `code_challenge` from the received `code_verifier` (SHA-256, then Base64URL without padding) and compares it to the challenge that was bound to the authorization code in Step 3. If they match, the token request succeeds and tokens are issued. If they do not match, or the verifier is missing, the token request fails with an `invalid_grant` error as required by RFC 7636, so an attacker who intercepted only the authorization code cannot redeem it.
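Steps 1–7 end to end, as an added worked example that is not Corppass's code. The `AuthorizationServer` class is an in-memory stand-in for the `/request`, `/authorize` and token endpoints (names, storage and the placeholder token values are assumptions); the verifier and challenge helpers follow RFC 7636 exactly, and `run_flow` can also play an attacker who holds a stolen authorization code but not the verifier.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43..128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url_nopad(data: bytes) -> str:
    """Base64URL without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(num_bytes: int = 32) -> str:
    """Step 1: 32 CSPRNG bytes encode to a 43-character verifier (the RFC minimum)."""
    return b64url_nopad(secrets.token_bytes(num_bytes))


def derive_code_challenge(code_verifier: str) -> str:
    """Step 2: S256 challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verify_code_verifier(code_challenge: str, method: str, code_verifier: str) -> bool:
    """Step 7: server-side check. Only S256 is accepted here (assumption)."""
    if method != "S256" or not VERIFIER_RE.fullmatch(code_verifier):
        return False
    # Constant-time comparison of the recomputed challenge with the stored one.
    return hmac.compare_digest(derive_code_challenge(code_verifier), code_challenge)


class AuthorizationServer:
    """Hypothetical in-memory stand-in for the Corppass endpoints."""

    def __init__(self):
        self._par = {}    # request_uri -> pushed parameters
        self._codes = {}  # authorization code -> parameters bound to it

    def pushed_authorization_request(self, params: dict) -> str:
        """Step 3 (/request): capture the challenge before any redirect happens."""
        if params.get("code_challenge_method") != "S256":
            raise ValueError("unsupported code_challenge_method")
        if not params.get("code_challenge"):
            raise ValueError("missing code_challenge")
        request_uri = "urn:ietf:params:oauth:request_uri:" + b64url_nopad(secrets.token_bytes(16))
        self._par[request_uri] = dict(params)
        return request_uri

    def authorize(self, client_id: str, request_uri: str) -> str:
        """Steps 4-5 (/authorize): after user login, issue a code bound to the challenge."""
        params = self._par.pop(request_uri, None)  # request_uri is single-use
        if params is None or params.get("client_id") != client_id:
            raise ValueError("invalid_request")
        code = b64url_nopad(secrets.token_bytes(24))
        self._codes[code] = {
            "client_id": client_id,
            "code_challenge": params["code_challenge"],
            "method": params["code_challenge_method"],
        }
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> dict:
        """Steps 6-7 (token endpoint): recompute and compare; the code is single-use."""
        bound = self._codes.pop(code, None)
        if bound is None or bound["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if not verify_code_verifier(bound["code_challenge"], bound["method"], code_verifier):
            return {"error": "invalid_grant"}
        # Placeholder tokens; a real server would mint signed JWTs here.
        return {
            "access_token": b64url_nopad(secrets.token_bytes(32)),
            "id_token": b64url_nopad(secrets.token_bytes(32)),
            "token_type": "Bearer",
        }


def run_flow(server: AuthorizationServer, client_id: str = "abc123",
             present_wrong_verifier: bool = False) -> dict:
    """Client side of Steps 1-6. With present_wrong_verifier=True it models an
    attacker who intercepted the authorization code but never had the verifier."""
    code_verifier = generate_code_verifier()
    request_uri = server.pushed_authorization_request({
        "response_type": "code",
        "client_id": client_id,
        "code_challenge": derive_code_challenge(code_verifier),
        "code_challenge_method": "S256",
    })
    code = server.authorize(client_id, request_uri)
    presented = generate_code_verifier() if present_wrong_verifier else code_verifier
    return server.token(client_id, code, presented)


if __name__ == "__main__":
    srv = AuthorizationServer()
    print("legitimate client:", run_flow(srv))
    print("code thief:       ", run_flow(srv, present_wrong_verifier=True))
```

`derive_code_challenge` reproduces the RFC 7636 Appendix B test vector (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` gives challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`), which is a useful check to keep in a client's test suite. Two server-side details matter as much as the hash: the comparison is constant-time, and both the `request_uri` and the authorization code are consumed on first use, so a replayed code fails even when the correct verifier is presented.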
